I have a partner who wants to propose a solution that totally isolates the backup infrastructure from the production network. The existing environment is Hyper-V connecting to a NetApp FAS over Fibre Channel. Is there any published design that shows how this might be done?

Maybe I'm way off here since I'm more of a VMware guy, but isn't this basically what the Hyper-V off-host proxy is for? You wire it up for SAN access, give it access to the repo, shove it in Veeam Server's network and call it a day. I mean, there's a bit more with the SAN access obviously, but still, it's the general idea https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Honestly, if they are concerned about protecting the environment, they should think about a lot more than just isolating the backup servers. Just a few things off-hand that would go a lot farther:
- Set up a separate domain for the Hyper-V hosts, and keep the Hyper-V hosts isolated from the VMs and all other user-facing systems on different networks. Veeam could be placed in this network as well.
- Use Shielded VMs to protect the VMs from compromise of the hosts, with TPM-based attestation. This requires another isolated set of servers to run the Host Guardian Service.
- Separate admin/user credentials for people with admin access to Hyper-V, Active Directory, Veeam, etc.
- Use Privileged Access Workstations to ensure a careless admin does not get malware on the computer used to access the infrastructure. Jump servers are not the answer!

Thanks guys. Yep, I knew about the off-host proxy and have spoken to them about that, but it's not really designed for isolating traffic (although it will use a separate SAN connection); it just offloads the processing of the backup from the production Hyper-V hosts. What I was really getting at is how to make sure that the backup infrastructure can be isolated from the production infrastructure so that a bad actor infecting production can't get at the backup components. @nmdange, I agree that it won't be completely possible, as there always has to be a control/management connection between the VBR server and the hosts. I was kind of hoping that Veeam might have already created some kind of whitepaper showing exactly how this could be done without having to lab it. I've already spoken to the customer about things like storage snapshots, air-gapped backup copies, NetApp AltaVault, and use of specialised backup appliances (Data Domain, StoreOnce) as part of their anti-malware policy.